Key facts:

      • The aim of the new EU Anti-Money Laundering Authority (AMLA) is to strengthen the monitoring of money laundering and terrorist financing prevention across the EU by obliged entities in the financial and non-financial sectors.
      • Obliged entities in the financial sector will clearly face more detailed data and reporting requirements, which will make technical availability and high quality of extensive data fields absolutely essential.
      • Data landscapes, analysis capabilities and IT interfaces must be aligned with AMLA requirements at an early stage.

      Criminal financial transactions are becoming increasingly digital, global and complex. Money laundering today increasingly makes use of cross-border payments, cryptocurrencies and automated cash flows – in an attempt to conceal the money trail.

      The new EU Anti-Money Laundering Authority (AMLA) will also address this issue as part of its remit – with analyses conducted jointly with national supervisory authorities, harmonised supervisory methods and binding data standards.

      Initially, around 40 institutions classified as high-risk will be directly affected – from 2028, they will be subject to direct supervision by AMLA in terms of money laundering prevention. However, all other obliged entities in the financial sector will also have to adapt to new requirements – particularly in the management of money laundering-related data.

      What has long been standard practice in the ECB's institution-specific supervision – namely detailed data requirements, for example on own funds and liquidity, based on data point models with thousands of entries – is now also beginning to emerge for money laundering and terrorist financing.

      Countries such as Italy and Spain can serve as role models – they already have significantly expanded data-based supervisory models for combating money laundering. AMLA, whose Chair Bruna Szego was previously head of AML policy at the Italian central bank, will certainly draw on the experience gained there as it develops its own supervisory approach.

      In Germany, where there is currently no data point model of this kind, AMLA's objectives are also casting their shadow. For example, the Federal Financial Supervisory Authority (BaFin) recently sent a data and information request on money laundering prevention to selected institutions.

      Participating institutions report that the provision and quality assurance of the requested data required intensive, often manual processing. The main reason for the high level of effort involved is often a lack of technical availability and quality of the data.

      What AMLA requires – and where obligated parties in the financial sector reach their limits

      With the establishment of a central EU database into which obliged entities in the financial sector must feed structured data via standardised interfaces, and with the introduction of binding data standards, AMLA is setting clear requirements for data provision. The obligation to collect data in a structured, consistent and automated manner poses considerable challenges for financial institutions. Specifically, the following are required:

      • Risk data and profiles: Many banks currently collect relevant data attributes for customer or product risks in a decentralised manner, with varying degrees of granularity or only within the framework of internal systems. A standardised definition of data attributes, their technical availability and the ability to evaluate them flexibly according to various criteria are often lacking, as is a corresponding system architecture.
      • Transaction data – especially cross-border: AMLA requires detailed classifications even for complex or automated payment flows, including those related to crypto. Existing transaction monitoring systems and data budgets are often not designed for this level of detail.
      • Governance and ownership information: For legal entities, the identification of their Ultimate Beneficial Owners (UBOs) remains an operational bottleneck. This data is also often maintained in a fragmented manner in different systems – often without interfaces for automated aggregation.
      • Histories and deletion concepts: The new EU AML Regulation (Regulation (EU) 2024/1624) requires regular retention periods of five years from the date of termination of the business relationship for past incidents, internal audits and suspicious activity reports. But institutions often lack consistent archiving standards and searchable formats, particularly in the case of mergers, migrations or system changes.

      These stringent requirements continue to pose technical and organisational hurdles for those subject to these obligations in the financial sector – data is often not linked and processes are not automated:

      • Data is stored in different locations, for example in core banking systems, KYC solutions, payment platforms or Excel files. There is often no uniform data definition or structure.
      • Lack of metadata structure: Without a central data inventory, it is unclear who owns which data, how up-to-date it is and in what context it is used.
      • Manual processes: Much AML-relevant data is still updated manually or evaluated only on an ad hoc basis.
      • Inadequate interfaces: Automated, audit-proof transmission to EU systems in accordance with AMLA requirements often first has to be designed and tested.

      Pressure to act for institutions: gap analysis and data architecture

      Many obliged entities in the financial sector will find that their current AML data management and processes are not sufficiently automated, are too fragmented or are only partially standardised. German institutions in particular have no experience with AML data point models and supervisory data point queries.

      The key challenge is how to create a consistent, verifiable and supervisory-compliant database across all entities in the group. 

      Where appropriate, existing data governance requirements for risk data aggregation and risk reporting, among other things, can be used as a basis in order to leverage synergies from existing implementations. This applies to requirements regarding data quality and availability, as well as the documentation and automation of data delivery channels.

      AMLA-compliant data management is a mammoth task: those subject to the regulations in the financial sector can expect to have to populate several hundred structured data fields on an ongoing basis. This requires simultaneous optimisation of several technical and data-related processes:

      • Centralisation and harmonisation of data sources (KYC, transactions, sanctions lists)
      • Structured data models in accordance with AMLA technical standards
      • Interface architecture for automated data transfer
      • Dashboards and reporting platforms for internal and external monitoring

      AMLA data requirements: achieving compliance and gaining efficiency

      The new European supervisory authority will professionalise anti-money laundering efforts – but it requires swift action from those subject to its regulations in the financial sector. For them, AMLA means greater transparency, greater control – and greater responsibility for data.

      Those who take a structured approach and invest early on will not only ensure regulatory compliance, but also gain efficiency in a highly relevant risk area.

      Our people

      Götz Eric Fischer

      Partner, Financial Services

      KPMG in Germany

      Lena Zinser

      Partner, Financial Services

      KPMG in Germany

      Daniel De Tommaso

      Senior Manager, Financial Services

      KPMG in Germany